How to Cisco external web authentication

Bo Nielsen, CCIE #53075 (Sec)

October 2016, V1.00


Overview

The principle is that the user connects to a wireless network, and that network must be open. An open network with a captive portal always starts by giving the client access to the network with an IP address, and in this phase DNS is implicitly allowed. On the client's first http request the WLC answers with an http redirect, spoofing the original destination IP address, so the browser believes it is communicating with the web page it requested.

The http redirect on a Cisco WLC goes either to a local web page on the WLC or to an external web page.

In both cases the web page must make the user's browser send the login credentials to the WLC virtual interface (1.1.1.1). The login is delivered over https, and the authentication can be done locally on the WLC or via RADIUS. With RADIUS the login can be approved by Windows AD.

For authentication via RADIUS the Cisco WLC uses PAP by default; it can be set to PAP, CHAP or MD5-CHAP under Controller -> General. PAP is the practical choice when the RADIUS server checks the login against Windows AD: CHAP and MD5-CHAP require the RADIUS server to hold the clear-text password, which an AD/LDAP authentication source does not give it. The consequence is that on the leg from the WLC to the RADIUS server the password is protected only by the RADIUS shared secret, so that path should stay on a trusted network and the secret should be long and random.

The process of external web authentication is illustrated here:

Flow from the figure (client, DNS, WLC Web Auth, Aruba Clearpass at 10.100.200.78 acting as both web server and RADIUS server, Windows AD reached over LDAP/LDAPS):

1. The client resolves www.dr.dk in DNS.
2. The client requests http://www.dr.dk; the WLC intercepts it and answers with a redirect to http://10.100.200.78/guest/cisco.php.
3. The client sends GET http://10.100.200.78/guest/cisco.php, and Clearpass returns the login page (skin); its URL carries the submit target: http://10.100.200.78/guest/cisco.php?switch_url=https://1.1.1.1/login.html.
4. The user submits the login, and the browser posts the credentials to https://1.1.1.1/login.html on the WLC.
5. The WLC sends a RADIUS request (PAP) to Aruba Clearpass, which verifies the credentials against Windows AD over LDAP/LDAPS.
6. On RADIUS accept the WLC returns the success page, and the client's request for http://www.dr.dk now reaches www.dr.dk.
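The redirect and the credential submission of steps 2 to 4, as an added Python example (not code from the document, from Cisco or from Aruba). It builds the Location the WLC returns, parses it the way the external login page must, and prepares the POST to the virtual interface. The query parameter names are those the WLC appends for external web auth and the form field names follow Cisco's sample external login page; treat both as assumptions to check against your WLC release. The MAC addresses and the SSID value are constructed samples.

```python
"""External web auth: WLC redirect, login-page parsing and credential POST (added example)."""
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

WLC_VIRTUAL_IP = "1.1.1.1"                                # WLC virtual interface (from the document)
EXTERNAL_PAGE = "http://10.100.200.78/guest/cisco.php"    # login page on Clearpass (from the document)


def wlc_redirect_url(original_url, client_mac, ap_mac, wlan):
    """Location header the WLC returns for the client's first http request.
    Parameter names (switch_url, redirect, client_mac, ap_mac, wlan) are the ones the
    WLC appends for external web auth (assumption); MAC and WLAN values are samples."""
    query = {
        "switch_url": f"https://{WLC_VIRTUAL_IP}/login.html",
        "redirect": original_url,
        "client_mac": client_mac,
        "ap_mac": ap_mac,
        "wlan": wlan,
    }
    scheme, netloc, path, _, _ = urlsplit(EXTERNAL_PAGE)
    return urlunsplit((scheme, netloc, path, urlencode(query), ""))


def parse_wlc_redirect(url):
    """What the external login page sees: the WLC parameters in its own request URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def build_login_post(params, username, password):
    """Return (action_url, form_fields) for the credential submission the login page
    must make. Field names follow Cisco's sample external login page (assumption).
    The page refuses to post anywhere except https to the WLC virtual interface:
    a page that posts to whatever switch_url says would deliver the credentials to
    any host named in the query string."""
    switch_url = params.get("switch_url", "")
    target = urlsplit(switch_url)
    if target.scheme != "https" or target.hostname != WLC_VIRTUAL_IP:
        raise ValueError(f"refusing to submit credentials to {switch_url!r}")
    form = {
        "buttonClicked": "4",            # value the sample page sets when Submit is clicked
        "err_flag": "0",
        "redirect_url": params.get("redirect", ""),
        "username": username,
        "password": password,
    }
    return switch_url, form


if __name__ == "__main__":
    location = wlc_redirect_url("http://www.dr.dk/", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "Ford")
    print("302 Location:", location)
    action, fields = build_login_post(parse_wlc_redirect(location), "bo", "s3cret")
    print("POST", action, {k: ("***" if k == "password" else v) for k, v in fields.items()})
```

The refusal to post to anything but https://1.1.1.1 is the security point: the login page is fetched over plain http and its submit target arrives in the query string, so a page that trusts switch_url blindly becomes a credential relay for anyone who can get a user to open it with a different switch_url.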


Aruba Clearpass

An overview of the service rule, enforcement policy and enforcement profile follows.

The enforcement profile uses the RADIUS attribute Session-Timeout to set the timer for the session. The session time is stored on the Cisco WLC after successful authentication. In this example Session-Timeout is set to 1 hour (3600 s), so the user is approved for 1 hour. When the hour is reached the captive portal is displayed again, and the user must enter their login again. In practice the session timeout can be set higher than 1 hour.

On Aruba Clearpass the configuration tasks are:

1. Authentication source: Windows AD.
2. Enforcement profile that returns Session-Timeout.
3. Enforcement policy that applies the profile, and with it the session timeout.
4. Service rule with authentication source, authentication method and enforcement policy.

Overview from the figure:

Service "CWA-WLAN-service"
    Service rule matched on the request from the WLC (NAD): NAS-Port-Type = Wireless-802.11, Service-Type = Login-User
    Authentication method: PAP
    Authentication source: Windows AD
    Enforcement policy "CWA-WLAN-enforcement"
        Enforcement profile "CWA-WLAN-profile": RADIUS:IETF Session-Timeout = 3600
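The RADIUS exchange behind the service rule, as an added Python example (not code from the document, from Cisco or from Aruba): the WLC's Access-Request with the PAP password encoded per RFC 2865, the attributes the service rule matches on (NAS-Port-Type = Wireless-802.11, Service-Type = Login-User), and the Access-Accept carrying Session-Timeout = 3600 with its Response Authenticator, which the WLC must verify before it stores the timer. User name, password, shared secret and authenticator are constructed samples.

```python
"""RADIUS Access-Request (PAP) and Access-Accept with Session-Timeout, per RFC 2865 (added example)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, SESSION_TIMEOUT, NAS_PORT_TYPE = 1, 2, 6, 27, 61
LOGIN_USER, WIRELESS_80211 = 1, 19       # Service-Type / NAS-Port-Type values in the service rule


def pap_encode(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), the first 'previous block' being the
    Request Authenticator. The password is hidden only as well as the secret is kept."""
    data = password.encode()
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += prev
    return out


def pap_decode(encoded, secret, req_auth):
    """Inverse of pap_encode; with the wrong secret the result is garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", "replace")


def attr(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value


def attrs_of(packet):
    """Yield (type, value) pairs from the attribute area after the 20-byte header."""
    i = 20
    while i < len(packet):
        kind, length = packet[i], packet[i + 1]
        yield kind, packet[i + 2:i + length]
        i += length


def access_request(username, password, secret, ident=1, req_auth=None):
    """What the WLC (NAD) sends; the attributes are the ones the service rule matches on."""
    req_auth = req_auth or os.urandom(16)
    body = (attr(USER_NAME, username.encode())
            + attr(USER_PASSWORD, pap_encode(password, secret, req_auth))
            + attr(SERVICE_TYPE, struct.pack("!I", LOGIN_USER))
            + attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def request_password(request, secret):
    """Server side: recover the PAP password to check it against the authentication source."""
    for kind, value in attrs_of(request):
        if kind == USER_PASSWORD:
            return pap_decode(value, secret, request[4:20])
    return None


def access_accept(request, secret, session_timeout=3600):
    """Server side: Accept carrying Session-Timeout, with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = attr(SESSION_TIMEOUT, struct.pack("!I", session_timeout))
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    resp_auth = hashlib.md5(head + request[4:20] + body + secret).digest()
    return head + resp_auth + body


def verify_response(request, response, secret):
    """NAD side: a reply made with the wrong secret, or altered in transit (a changed
    Session-Timeout, for instance), fails here and must be discarded."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20] and response[1] == request[1]


def session_timeout_of(response):
    """Value the WLC stores as the session timer when Allow AAA Override is enabled."""
    for kind, value in attrs_of(response):
        if kind == SESSION_TIMEOUT:
            return struct.unpack("!I", value)[0]
    return None


if __name__ == "__main__":
    secret = b"sharedsecret"                                  # constructed sample
    req = access_request("bo", "Passw0rd!", secret, ident=7)
    print("server sees password:", request_password(req, secret))
    resp = access_accept(req, secret, 3600)
    print("accept verified:", verify_response(req, resp, secret),
          "session-timeout:", session_timeout_of(resp))
```

The PAP encoding is an MD5 keystream derived from the shared secret and the authenticator XORed onto the password; it is not encryption in any modern sense, so the secret must be long and random and the WLC-to-Clearpass path kept on a trusted network (or carried over RadSec where both ends support it). The Response Authenticator check is what stops a forged or modified Accept from handing out a longer session than the policy intends.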


Enforcement profile

Configuration -> Enforcement -> Profiles

Enforcement policy

Configuration -> Enforcement -> Policies


Service rule

Configuration -> Services


External web page on Aruba Clearpass

Configuration -> Pages -> Web Logins

It is very important to select "The controller will send the IP to submit credentials". The WLC passes the submit address (switch_url, the virtual interface https://1.1.1.1/login.html) in the redirect, and with this setting the login page posts the credentials there instead of to a hard-coded address.


Cisco Wireless LAN Controller

Start by checking that the Cisco WLC uses PAP for web RADIUS authentication.

Controller -> General

Next, verify that the certificate installed for Web Auth has the common name set to 1.1.1.1 or has a SAN entry with 1.1.1.1 as an IP address. Current browsers ignore the common name and match only the SAN, so the SAN entry is the one that counts.

Security -> Web Auth -> Certificate

In this example I have used a certificate from an internal PKI. It is usable for testing only, because external users have not installed the root certificate of the internal PKI and will get a certificate warning on the login page. In practice a certificate from a public CA should be used, for example from Verisign, GoDaddy or DigiCert. A public CA only issues certificates for names or addresses you can prove you control, which rules out 1.1.1.1, so for a public certificate the virtual interface is given a DNS host name (Controller -> Interfaces -> virtual), that name must resolve to 1.1.1.1 for the guest clients, and the certificate is issued for that name.


RADIUS

Security -> RADIUS -> Authentication

In this example Aruba Clearpass is the RADIUS server at IP address 10.100.200.78.

Note: The SSID name cannot be used as a condition in a service rule on Aruba Clearpass, because the Cisco WLC sends the index number of the SSID, not its name. If the SSID name is to be used in a service rule, Auth Called Station ID Type must be changed to a type that includes the SSID (for example AP MAC Address:SSID), so that the name is carried in Called-Station-Id in the RADIUS request.

Security -> RADIUS -> Accounting

Access Control Lists

Security -> Access Control Lists -> Access Control Lists

The ACL gives the unauthenticated client access to the web server on Aruba Clearpass and to DHCP; DNS is allowed by the WLC itself. WLC ACLs are stateless and end in an implicit deny, so the replies from Clearpass to the client need a matching permit as well, not only the client's requests.


WLAN

In this example the SSID name is Ford, and the management interface is used for the WiFi clients, which obtain their IP address from this interface.

General

Security, Layer 2 (open SSID)

Security, Layer 3 (Web Auth)

The Preauthentication ACL restricts the client's traffic to Aruba Clearpass until the user is authenticated.
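The preauthentication ACL as the WLC evaluates it, as an added Python example (not the document's ACL screenshot and not Cisco code), covering both the ACL described under Access Control Lists and its use on the WLAN above. The rule set is a constructed reading of that ACL, the Clearpass address is the document's, and the client address is a constructed sample. It shows that, because the ACL is stateless, the replies from Clearpass need their own permit, and that DNS works without an ACL entry only because the WLC permits it on its own.

```python
"""Stateless pre-auth ACL: rules in sequence order, first match wins, implicit deny (added example)."""
CLEARPASS = "10.100.200.78"     # Aruba Clearpass (from the document)

# (source, destination, protocol, source port, destination port, action); "any" is a wildcard.
# Constructed to mirror the ACL the page describes: DHCP plus http/https to Clearpass.
PRE_AUTH_ACL = [
    ("any", "any", "udp", "any", 67, "permit"),        # DHCP discover/request to the server
    ("any", "any", "udp", "any", 68, "permit"),        # DHCP offer/ack back to the client
    ("any", CLEARPASS, "tcp", "any", 80, "permit"),    # login page
    ("any", CLEARPASS, "tcp", "any", 443, "permit"),
    (CLEARPASS, "any", "tcp", 80, "any", "permit"),    # replies: the ACL keeps no state
    (CLEARPASS, "any", "tcp", 443, "any", "permit"),
]

# DNS is permitted by the WLC before authentication regardless of the ACL (from the document).
WLC_IMPLICIT = {("udp", 53)}


def packet(src, dst, proto, sport, dport):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def evaluate(acl, pkt):
    """First matching rule decides; anything unmatched is denied."""
    for src, dst, proto, sport, dport, action in acl:
        fields = ((src, pkt["src"]), (dst, pkt["dst"]), (proto, pkt["proto"]),
                  (sport, pkt["sport"]), (dport, pkt["dport"]))
        if all(want == "any" or want == have for want, have in fields):
            return action
    return "deny"


def allowed_before_auth(acl, pkt):
    """What the WLC lets through for a client in the web-auth-required state."""
    if (pkt["proto"], pkt["dport"]) in WLC_IMPLICIT:
        return True
    return evaluate(acl, pkt) == "permit"


if __name__ == "__main__":
    client = "10.100.200.50"                                # constructed sample client
    for pkt in (packet(client, CLEARPASS, "tcp", 51000, 443),
                packet(CLEARPASS, client, "tcp", 443, 51000),
                packet(client, "198.51.100.7", "tcp", 51001, 443)):
        print(pkt, "->", "permit" if allowed_before_auth(PRE_AUTH_ACL, pkt) else "deny")
```

Dropping the two reply rules is the classic mistake: the client's SYN to Clearpass is permitted, the SYN-ACK is dropped, and the login page never loads while the ACL looks complete at first glance.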


Security, AAA Servers (RADIUS)

Advanced

It is important to select Allow AAA Override. This makes the Session-Timeout returned by RADIUS the active session timer. If override is not selected, the Session Timeout configured on the WLAN in the Cisco WLC (here 600 s) is used instead. For an open SSID the NAC State must be set to None.

Redirect of https

By default the Cisco WLC does not redirect https. Https redirect can be enabled with:

config network web-auth https-redirect enable

If it is enabled there will always be a certificate warning, because the WLC has to terminate the TLS connection for the host name the user typed (www.dr.dk in the figure) while it can only present its Web Auth certificate, whose name is 1.1.1.1 by default. Sites that send HSTS make the browser refuse the connection outright instead of offering a click-through, so https redirect gives a poor experience regardless of which certificate is installed.
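Why the warning is unavoidable, as an added Python example (not code from the document or from Cisco): a browser-style check of the requested host name against the certificate's SAN entries. The IP-address SAN is the document's setup; the DNS-name SAN for a virtual interface host name guest.example.net is a constructed alternative. The intercepted host name (www.dr.dk) never matches the Web Auth certificate, while the login URL itself is clean whenever the certificate matches the virtual interface's address or name.

```python
"""Host-name matching a browser applies to the Web Auth certificate (added example)."""
import ipaddress
from urllib.parse import urlsplit


def cert_matches_host(san_entries, host):
    """iPAddress entries match a literal IP; dNSName entries match a host name, with a
    '*.' wildcard allowed for the left-most label only. The CN is ignored, as current
    browsers do. san_entries is a list of ("IP", addr) / ("DNS", name) pairs."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    host = host.lower()
    for kind, value in san_entries:
        if kind == "IP":
            if ip is not None and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and ip is None:
            value = value.lower()
            if value == host:
                return True
            if value.startswith("*."):
                suffix = value[1:]                                      # ".dr.dk"
                prefix = host[:-len(suffix)] if host.endswith(suffix) else None
                if prefix and "." not in prefix:
                    return True
    return False


def certificate_warning(url, webauth_san):
    """True when a browser opening this URL on the captive network gets a warning,
    because the WLC answers it with the Web Auth certificate whatever the host is."""
    return not cert_matches_host(webauth_san, urlsplit(url).hostname)


# Certificate issued to the virtual interface IP, as in the document.
WEBAUTH_SAN_IP = [("IP", "1.1.1.1")]
# Constructed alternative: virtual interface given a DNS host name and a certificate for it.
WEBAUTH_SAN_DNS = [("DNS", "guest.example.net")]


if __name__ == "__main__":
    for url in ("https://www.dr.dk/", "https://1.1.1.1/login.html", "https://guest.example.net/login.html"):
        print(url, "IP cert warning:", certificate_warning(url, WEBAUTH_SAN_IP),
              "DNS cert warning:", certificate_warning(url, WEBAUTH_SAN_DNS))
```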


Verification

Before approval


After approval